When using Email OTP with MFA API “/mfa/associate” the following error occurs:
There is an error response of “oob_code is expired” when authenticating with the received 6-digit code.
The expiration date of the MFA token set at the time of authentication is 10 minutes, but the “oob_code is expired” error is shorter than 10 minutes occurring in time.
The oob_code expired error reflects an issue with the code expiry, not the MFA token expiry, which looks like they are not linked.
For the Email/SMS OTP code for MFA by default expiry time is 5 Minutes.
The code length is 6 characters and expires after 5 minutes. A user cannot fail more than 10 times an hour to validate an Email OTP.
Please note that MFA token expiry is different from OTP expiry, both are not configurable.